fwd:cloudsec Europe 2024

Service Agents and the Search for Transitive Access in GCP
2024-09-17 , Main Room

Service Agents are the ‘per-project, per-product’ machine identity in Google Cloud. When Cloud Build deploys a container or writes a container to a registry, it's the Service Agent that enables this service-to-service auth.
In this talk, we'll hoist Service Agents on a lift and inspect their undercarriage, questioning why Google Cloud frequently sets their auto-assigned permissions to admin level yet positions them as inconsequential.

We’ll challenge the perception that Service Agents are inherently safe, shattering the party line that their administrative power is without the potential for abuse by a malicious actor in the project. The audience will learn about transitive access techniques, revealing how Service Agents' permissions can be exploited to manipulate services and data, even without direct resource access.

I will make these risks concrete by releasing a case of Service Agent abuse resulting in data exfiltration, bypassing the need for explicit Storage permissions. Using the transitivity principle, I will demonstrate how service functionality puts the end user in the driver's seat, directing a Service Agent's actions to achieve unauthorized data access.

Attendees will ride to the underbelly of Google Cloud's machine identity ecosystem, where assumptions are confronted, and the security implications may reshape their understanding of Service Agents. Please keep all hands and feet inside the moving vehicle at all times.

See also:

Kat Traxler is the Principal Security Researcher at Vectra AI focusing on abuse techniques and vulnerabilities in the public cloud. Prior to her current role, she worked in various stages in the SDLC performing web application penetration testing and security architecture design for Web, IAM, Payment Technologies and Cloud Native Technologies.

Kat’s research philosophy directs her work to where design flaws and misconfigurations are most probable. This guiding principle leads her research to the intersection of technologies, particularly the convergence of cloud security and application security and where the OS-layer interfaces with higher-level abstractions.

Kat has presented at various conferences including the SANS CloudSecNext Summit and fwd:CloudSec on topics such as privilege escalation in GCP, and bug-hunting in the cloud. In addition to her work at Vectra AI, she is a member of IAN Faculty and the Lead Author of the SANS SEC549 - Enterprise Cloud Security Architecture and currently holds multiple GIAC certifications. You can find her on the internet as @nightmareJS